Fake ADP, Voicemail Notifications Used in Blackhole Campaigns

The recent wave of Blackhole campaigns does not appear to be based on the new version of the infamous Blackhole exploit toolkit that hit underground forums earlier this week, according to researchers.

The attacks appear to be widespread, with email notifications claiming to come from various sources such as the Federal Deposit Insurance Corporation, ADP, Wells Fargo, and even the Better Business Bureau. Some attacks were standard notification emails, such as the one purporting to come from ADP that asked users to click through to a screen resembling their Online Invoice Management account to “protect the security of [their] data,” Ros Mossessco, a security analyst at Websense, wrote on the Security Labs blog.

Users click on the link in the email and find themselves redirected to a site created by the Blackhole toolkit with new obfuscation, “but we don't think these are Blackhole 2.0,” Mossessco wrote.

Another version of the campaign sent voicemail notification emails purporting to come from the recipient's Microsoft Exchange server, Lenny Zeltser, a product management director at NCR and an instructor at the SANS Institute, wrote on the Internet Storm Center. While the mail is crafted to look as if a .wav file containing the voicemail is attached to the message, it is actually just a link to the malicious site, which attempted to load a malicious Java applet and obfuscated JavaScript, Zeltser wrote.

“We suspect it won't be long, though, until we come across similar campaigns that use the new version,” Mossessco predicted.
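As an added defender-side example, not part of the original article: a small standard-library Python check that flags a message which claims an audio attachment but carries none and instead links out, which is the shape of the voicemail lure described above. The phrase list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Phrases a lure uses to claim a voicemail file is attached (assumed list).
CLAIM_RE = re.compile(r"(attached|attachment|\.wav\b|voice\s*mail)", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def message_findings(raw: str) -> dict:
    """Compare what the message claims with what it actually carries."""
    msg = message_from_string(raw)
    claims, links, attachments = False, [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments.append(part.get_filename() or part.get_content_type())
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        claims = claims or bool(CLAIM_RE.search(body))
        links.extend(HREF_RE.findall(body))
    return {"claims_attachment": claims, "attachments": attachments, "links": links}


def is_fake_attachment_lure(raw: str) -> bool:
    """True when the mail talks about an attachment, has none, and links out."""
    f = message_findings(raw)
    return f["claims_attachment"] and not f["attachments"] and bool(f["links"])


# Constructed lure: single HTML part, no real attachment, link to a site.
SAMPLE_LURE = (
    "From: Microsoft Exchange <no-reply@example.invalid>\r\n"
    "Subject: You have received a voice mail\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<p>A new voice mail (.wav) is attached to this message.</p>"
    '<p><a href="http://example.invalid/voicemail.wav">Listen</a></p>\r\n'
)

# Constructed benign message: the .wav really is a MIME attachment.
SAMPLE_REAL = (
    "From: Exchange <no-reply@example.invalid>\r\n"
    "Subject: Voice mail\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nVoice mail attached.\r\n"
    '--b1\r\nContent-Type: audio/wav; name="vm.wav"\r\n'
    'Content-Disposition: attachment; filename="vm.wav"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nUklGRg==\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(is_fake_attachment_lure(SAMPLE_LURE), is_fake_attachment_lure(SAMPLE_REAL))
```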

New Update to Blackhole

Just as software companies release new versions to support new operating systems, the creators behind Blackhole have added support for the upcoming Windows 8 and mobile devices and a whole new set of exploit payloads to the malware kit. While the original announcement appeared on underground site Exploit.In in Russian (per Threatpost), the site Malware Don't Need Coffee translated the advertisement that was recopied on Pastebin using Google Translate.

Older exploits that are easily detected by security products have been removed from version 2.0 of Blackhole, and the kit boasts a redesigned admin interface to make it even easier for technically challenged cyber-criminals to get up and running.

The toolkit improved its plugin detection capabilities so that it attempts to download the malicious payload only when the target system is vulnerable. The tool blocks TOR traffic and improves how it checks referrer headers. The new random URL generation system creates single-use Web addresses for attacks that have a tremendously short life span. Random URLs will also make it difficult for security companies to revisit the link to download the exploit for analysis. It is also possible to specify human-readable links in the interface to generate URLs that are more likely to trick users into thinking the address is legitimate.

There may be more changes, but the post did not list them because “bragging and shouting in public is simply not reasonable, because competition and the AV companies do not nap,” according to the post.

What is Blackhole?

BlackHole is a Web-based software application which includes a collection of tools that can take advantage of security vulnerabilities in Web browsers, Flash, and Java to create malicious sites that download malware onto victims' computers. Tremendously popular among cyber-criminals interested in launching sophisticated drive-by download campaigns, it is available both as a software license and as software-as-a-service.

The toolkit has been around for about two years and has been regularly updated with new exploit packs. Version 2.0 appears to be a complete redesign from the bottom up.
